On 05-06-2014 16:27, Theo de Raadt wrote:
> There are two main open-source processes for dealing with discovery of
> security issues and disclosure of that information to the greater
> community.
>
> - One common process is that generally followed by OpenBSD.  In this
>   process a bug is found, and a fix is committed as soon as the
>   improvement is known to be good.  Then if an assessment has been done, and
>   it is determined to be important, disclosure occurs, of course after
>   the commit is already public.  Everyone including the vendors had the
>   opportunity to get the information in a fair and equal way.
>
> - The other main process used by some open source groups, is to
>   quarantine important repairs.  A fix is first disclosed to all affected
>   parties, or at least the right concerned subset.  This creates a delay
>   before information availability, but the coordination is intended to
>   provide a benefit.  Everyone generally gets the information in a fair
>   and equal way.
>
> Both processes have their place.  Each software group has their own
> limitations and needs which will drive their selection.
>
>
> It is clear that the second process -- intending to also take an ethical
> path for disclosure -- should not specifically exclude a part of the
> community.
>
>
> Unfortunately I find myself believing reports that the OpenSSL people
> intentionally asked others for quarantine, and went out of their way
> to ensure this information would not come to OpenBSD and LibreSSL.
>
> There, I've said it.

That's exactly my thought. Especially because FreeBSD and NetBSD were
warned, but not OpenBSD. If this was only a rant or some childish
behavior on their part, it's something stupid and, of course, not the right
thing to do. But hey, we're all human. My real concern is whether this is
something else, a hidden agenda, in that this "stupid disclosure" was
indeed carefully planned. One can never have too many conspiracy
theories. Especially after what has been happening the last year. Thanks
for the clarification.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
